# DNS not working, which is giving trouble getting LDAP up and running


grand bloom

Hi all, I've been working on getting LDAP (Active Directory) working on our NAbox installation, but I'm running into a few little problems. (Outputs are anonymized.)
First off, we have set up DNS in the network config. But when logged in to the CLI and running dig <domaincontroller>, I get nothing in return.

;; QUESTION SECTION: ;<domaincontroller>. IN A

I can, however, ping the domain controller, and also connect to port 53 (nc -zv ipaddr 53).
The Grafana LDAP config is reporting that it is unable to look up the domain controller.

Connection error domaincontroller:636 dial tcp: lookup domaincontroller: Try again

As a test I've added the domain controller to /etc/hosts, just to see if Grafana picks up the hostname with the IP. And it does. But this brings me to the second issue:

The Grafana LDAP config now shows a different message.
Connection error domaincontroller:636 tls: failed to verify certificate: x509: certificate signed by unknown authority

It is true that we have our own signing authority running.

I've also tried filling in the IP address of the domain controller in the LDAP config, but that fails as well, with the message that the IP address is not in the certificate's SAN. Which is to be expected.

My main questions: how can we get DNS working properly so I can remove the /etc/hosts entry?
And what can we do about the certificate authority message?

Any help is appreciated.

M.

spice lichen

@rich locust

rich locust

resolvectl status ens192 ?


Did you configure your CA certificate in the NAbox SSL settings?

grand bloom

resolvectl comes back with this (again anonymized):
map0050 / # resolvectl status ens192
Link 2 (ens192)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: x.x.x.1
DNS Servers: x.x.x.1 x.x.x.x.2

And these are the correct DNS servers.
I've gone through the network settings on the host again, and I've changed the hostname and dropped the domain.local, which seems to help for DNS.

A colleague just mentioned that the sub CA was renewed a couple of weeks ago. Too bad no one told us, so I've been working with the old sub CA... I just renewed the root CA bundle, and the cert error is gone now, although I need to play with the search and base DN; the settings used from NAbox 3 do not seem to work. Testing in Grafana comes back with: No user was found in the LDAP server(s) with that username

Thank you for pointing me in the right direction. The only thing left is to get the DNs right.
Just one more question: when logging in with your AD account in Grafana, is it only username and password, or do I need to add the domain as well, like username@domain.local or domain\username?

rich locust

Oh, you are using the .local TLD? Yes, that's a problem if you don't add it to the search domain as well.

rich locust

Username is enough, I believe. The sAMAccountName.

rich locust

Let me know if you can't configure LDAP. It should accept the same parameters as v3, and I made some changes necessary for other LDAP servers; hopefully they didn't have an impact on AD.

grand bloom

I think I need some extra help.
Looking at the output of docker logs grafana, it looks like authentication with AD fails for LDAP users.
In the logging you can see me logging out the admin user at 12:48:52,
and then trying to log in with my AD account at 12:50:00, which fails.

Can I upload the logs for you to check? Can you also provide an upload link?

grand bloom

Uploaded

rich locust

Did you try the LDAP troubleshooting page in Grafana?


On a side note, you might want to delete all dashboards so they can reprovision correctly; it looks like Grafana is getting mixed up in IDs.

grand bloom

I've seen the dashboard errors. I will look into this.


As for LDAP, I've gone through the documentation for LDAP in Grafana as well as forum posts, but so far I pretty much came up blank. The only thing I hadn't done was filling in the full DN of the service account querying AD instead of only using the username. And lo and behold, I can query my username in Grafana and I'm able to log in as well.

rich locust

Wait... you can log in with your user?

grand bloom

Yes

rich locust

All good then ?

grand bloom

Yes, all good. In short: the bind DN must be in the full CN,OU,OU,DC,DC format in our case.


Thank you for everything.
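The fix the thread ends on (a full distinguished name for the bind account, while users still log in with a bare sAMAccountName), shown as an added example that is not code from the thread, from NAbox or from Grafana. A small shell helper rejects a bare username, a UPN or a DOMAIN\user string as the bind identity and writes a Grafana ldap.toml for Active Directory that keeps TLS verification on. The hostname, OU names, service-account name and CA bundle path are constructed; the ldap.toml keys are Grafana's documented ones.

```shell
#!/usr/bin/env bash
# Added example: validate a bind identity as a full LDAP DN and emit a Grafana
# ldap.toml for AD. Names and paths below are made up for the example.
set -eu

# 0 if $1 is a full DN (attr=value pairs separated by commas, ending in the
# DC components); 1 for a bare sAMAccountName, a UPN (user@domain) or
# DOMAIN\user. Does not handle RFC 4514 escaped commas inside values.
is_full_dn() {
  printf '%s' "$1" | grep -Eiq '^([a-z]+=[^,]+,)+dc=[^,]+(,dc=[^,]+)*$'
}

# Writes ldap.toml to $2 for bind DN $1. Refuses a non-DN bind identity.
# The fix for "certificate signed by unknown authority" is root_ca_cert
# pointing at the *current* CA bundle, never ssl_skip_verify = true.
write_ldap_toml() {
  bind_dn="$1"; out="$2"
  if ! is_full_dn "$bind_dn"; then
    echo "bind_dn is not a full DN (use CN=...,OU=...,DC=...,DC=...): $bind_dn" >&2
    return 1
  fi
  cat > "$out" <<EOF
[[servers]]
host = "domaincontroller.example.local"   # must match a DNS SAN in the DC cert
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
root_ca_cert = "/etc/ssl/certs/example-ca-bundle.pem"   # constructed path; current CA chain
bind_dn = "${bind_dn}"
bind_password = '\$__env{GRAFANA_LDAP_BIND_PASSWORD}'    # Grafana env-var expansion; keeps the secret out of the file
search_filter = "(sAMAccountName=%s)"   # users log in with the bare username
search_base_dns = ["DC=example,DC=local"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
EOF
}

# Stand-alone demo: which bind identities pass the DN check.
main() {
  for id in 'svc-grafana' 'svc-grafana@example.local' 'EXAMPLE\svc-grafana' \
            'CN=svc-grafana,OU=Service Accounts,OU=Accounts,DC=example,DC=local'; do
    if is_full_dn "$id"; then
      echo "full DN:   $id"
    else
      echo "not a DN:  $id"
    fi
  done
  write_ldap_toml 'CN=svc-grafana,OU=Service Accounts,OU=Accounts,DC=example,DC=local' ldap.toml
  echo "wrote ldap.toml"
}
main
```

The same distinction applies to testing by hand: `ldapsearch -H ldaps://domaincontroller:636 -D "CN=svc-grafana,OU=...,DC=...,DC=..." -W -b "DC=example,DC=local" "(sAMAccountName=<user>)"` exercises the bind DN, the base DN and the filter together, which is what Grafana's "No user was found" message folds into one line.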